I used this method to sync the errata to foreman. However I think there are some issues with how foreman processes the errata.
I used this python script to process the errata.xml file: GitHub - vmfarms/generate_updateinfo
then proceeded to make a local repository on the host and synced the repo to foreman. All this works just fine.
The issue however seems to be with how foreman handles that information. CESA_2021__5192 for example. According to foreman there are no hosts that this applies to. While according to spacewalk this errata affects hosts that are registered to foreman.
Package installed currently on the host.
samba-common-4.10.16-15.el7_9.noarch
Package that should contain fix for the security issue.
samba-common-4.10.16-17.el7_9.noarch
So I believe that foreman does not correctly inform the admin about what needs to be updated. AFAIK the packages where the version is lower than what is listed on the updated packages here https://access.redhat.com/errata/RHSA-2021:5192 are affected.
Foreman does see that the package needs to be updated but doesn’t inform that there is some errata to be applied to the host even though the errata is synced to the host.
I’m curious whether this is an issue with how foreman handles this specific errata file or something else. ATM I have not updated the package yet, but I’m guessing that when the package matches the package version on the errata updated packages foreman might inform that there is errata that needs to be applied. I’m currently using this errata file: https://cefs.steve-meier.de/errata.latest.xml.bz2
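The version check the post above reasons about (installed release 15.el7_9 against fixed release 17.el7_9), as an added example that is not part of the original thread and is not Foreman's or Katello's code. The updateinfo.xml fragment is constructed, and `vercmp` is a simplified rpm-style comparison that ignores `~` and `^`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml fragment; the errata id and versions are the ones quoted in the thread.
UPDATEINFO = """<updates>
  <update type="security">
    <id>CESA-2021:5192</id>
    <pkglist><collection>
      <package name="samba-common" epoch="0" version="4.10.16" release="17.el7_9" arch="noarch"/>
    </collection></pkglist>
  </update>
</updates>"""

def _segments(s):
    # rpm compares runs of digits numerically and runs of letters lexically
    return re.findall(r"\d+|[a-zA-Z]+", s)

def vercmp(a, b):
    """Simplified rpm-style comparison (no '~' or '^'): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples."""
    if int(a[0]) != int(b[0]):
        return 1 if int(a[0]) > int(b[0]) else -1
    return vercmp(a[1], b[1]) or vercmp(a[2], b[2])

def applicable_errata(updateinfo_xml, installed):
    """installed: {(name, arch): (epoch, version, release)} -> sorted errata ids."""
    hits = set()
    for upd in ET.fromstring(updateinfo_xml).iter("update"):
        for pkg in upd.iter("package"):
            have = installed.get((pkg.get("name"), pkg.get("arch")))
            fix = (pkg.get("epoch") or "0", pkg.get("version"), pkg.get("release"))
            if have and evr_cmp(have, fix) < 0:   # installed build is older than the fix
                hits.add(upd.findtext("id"))
    return sorted(hits)

# Host inventory as reported in the thread (constructed dict layout)
HOST = {("samba-common", "noarch"): ("0", "4.10.16", "15.el7_9")}
print(applicable_errata(UPDATEINFO, HOST))
```

Running the same check against the output of `rpm -qa` on a host gives an independent list to compare with what the Foreman UI reports.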
Also noticing the same, I have imported errata also from the same steve-meier source into a new repo centos7-errata which is in my Product named Centos7.
I can find the latest polkit errata from centos mailing list [CentOS-announce] CESA-2022:0274 Important CentOS 7 polkit Security Update in the Centos7 → Centos7-errata repo in katello. If I select the errata it shows me I have hosts this is applicable to, and I’m redirected to the content page listing those hosts.
The applicable package is installable on those hosts, but that list of hosts shows no security errata available.
If I click on the errata it shows no hosts are applicable, and no content hosts are listed. If I select packages, click the applicable package, i.e. polkit from the example above, I then see the count of hosts polkit is installed on, and how many are upgradable. Clicking on upgradable redirects to content → with the following query upgradable_rpms=polkit-0.112-26.el7_9.1.x86_64.
So the errata from the centos7-errata repo doesn’t associate with packages in another repo.
Hi @Stevedd
Do you use a content view? In my case, I see the errata in the repo, but it isn’t present in published versions of the ContentView.
On my Foreman server I’ve created a local repo in /var/www/html/pub/centos_errata/7, then using a script I import and inject errata into the local repo
generate_updateinfo.py -s all -t all -v <(bzip2 -dc /tmp/errata.latest.xml.bz2)
/usr/bin/modifyrepo /tmp/updateinfo-7/updateinfo.xml /var/www/html/pub/centos_errata/7/repodata/
In Foreman I’ve added a new repo, synced it to the local repo https://foreman/pub/centos_errata/7/ (here I see all errata), added this new repo to a CV and published.
There are no errata in the published version.
They appear only if I add an erratum by an incremental update:
hammer content-view version incremental-update --content-view-version-id NNNN --errata-ids NNNN --organization XXXX
Finally I’ve found a problem:
my ContentView had a filter for one rpm ( qpid-proton-c ), after deleting this filter and publishing a new version of the CV, all errata is visible in the CV version and at the host.
The errata from the repo doesn’t seem to be associated correctly by foreman. For CESA-2022:0274 polkit-0.112-26.el7_9.1.x86_64.rpm seems to be the solution package which has the vulnerability fixed. So the errata should show all hosts that need to be upgraded to that package. For example polkit-0.112-11.el7_3.x86_64, which should be shown as a security errata for that package, simply gets registered as a package which needs to be upgraded and is not showing errata properly.
I’ve created a separate post regarding that issue but so far no solutions have been provided. I don’t know whether the issue lies in the xml file, the script that processes it or in how foreman handles errata from local repos. Errata is shown correctly at least with AlmaLinuxes.
Well, how do you create that repo? I’m wondering if there is some difference in how we create the local repo and that’s the reason why it doesn’t work properly for me.
Steve Meier
Free for non-commercial use
This software is provided AS IS. There are no guarantees. It might kill your cat.
Tue Oct 11 07:13:18 UTC 2022
: File name too long
Metadata not found: updateinfo
Could not add metadata from file /tmp/generate_updateinfo15360/updateinfo-7/updateinfo.xml: /tmp/generate_updateinfo15360/updateinfo-7/updateinfo.xml not found
[root@xxxx tmp]#
This one runs in my test box. I’ve already created the repo in the Satellite 6.10 GUI as you suggested above. Can you please help with the error?
From which location do I need to take the “updateinfo.xml” to run the below command? Once we run the below command, do we need to sync from satellite for that repo?
Our team has created a product named “centos” and it has 6 repositories. It syncs every week and we follow the below steps to update errata info, but now that we have upgraded to satellite 6.10 the script is not working coz of errata. I’ve followed your instruction and created one more repo but I’m missing something, errata info is not syncing in. Attached the images.
This “New CVV publications then take in the new errata.” will come only after we run “modifyrepo updateinfo.xml /var/www/html/pub/centos-errata/7/repodata/”. If so, from which location do I need to get the updateinfo.xml file?